I have this message popping up once or twice a day in suricata.log:
2025-04-02 13:55:09 Warning: streaming-buffer: StreamingBuffer::GrowRegionToSize() tried to alloc 1073742368 bytes, exceeds limit of 1073741824
Is that a hard-coded limit or something that be altered in settings? Is this something worth fixing?
Suricata 7.0.9 installed from package on RHEL 8
Hard to tell without much more details. So please add:
suricata.yamlstats.logsuricata.logsuricata --build-infoThis ist indeed a hardcoded limit in util-streaming-buffer.c:
if (size > BIT_U32(30)) { // 1GiB
if (!g2s_warn_once) {
SCLogWarning("StreamingBuffer::GrowRegionToSize() tried to alloc %u bytes, exceeds limit of %" PRIu32, size, BIT_U32(30));
g2s_warn_once = true;
}
return SC_ELIMIT;
}
I have exactly the same problem on our napatech-driven multi-gigabit sensors with suricata 8.0.3 and 8.0.4. And it seems to be independent of the stream memcap settings in the suricata.yaml, since these are way bigger than 1GB.
If that limit is reached, we get many napatech overflow drops, and suricata simply restarts itself (or its service is restarted by systemd).
I do not know whether this is a desired behavior or not.
Thx, MaJa
Is it possible to find out what kind of flow (ips, ports) is responsible for this large buffer resize request?
E.g., trigger a stream event rule?
Thx, MaJa